Hello, Am Sonntag, 5. Februar 2023, 16:50:54 CET schrieb Arjen de Korte:
I noticed openssl-1_1 is involved, isn't it newly introduced in Tumbleweed? No, this is fallout from a change in AppArmor and requires changes to
Citeren Freek de Kruijf
: the usr.lib.dovecot.imap-login (and usr.lib.dovecot.pop3-login).
The AppArmor profiles for dovecot didn't change recently, therefore I'd
say that it's caused by a change in dovecot or even openssl ;-)
Actually it is a change in openssl:
# rpm -q --changelog openssl-1_1 | head
* Mi Dez 14 2022 Pedro Monreal
Filed a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911 Patch and workaround added to this bug and SR#1063271 will fix this.
Thanks, but I'm afraid I'll have to decline your SR ;-) It would work, but it would make the profile too permissive. Especially allowing to read ssl certificates and keys are things I'd like to avoid unless it's really needed. If I get your error message (and what I see on my own system) right, then dovecot "only" needs to read /etc/ssl/openssl-1_1.cnf. Therefore the better fix is to add /etc/ssl/openssl-1_1.cnf r, to the dovecot-imap-login and dovecot-pop3-login profiles. Actually it would be even better to add it to abstractions/openssl. If you want a hotfix that doesn't cause *.rpmnew files: echo '/etc/ssl/openssl-1_1.cnf r,' > \ /etc/apparmor.d/abstractions/openssl.d/boo1207911 rcapparmor reload I just submitted SR 1063514, so the fix should arrive in Tumbleweed soon. Regards, Christian Boltz -- By basic sanity check I meant error/warning messages which can be understood by mere simple human beings from planet earth [Cristian Rodríguez in opensuse-packaging]